Platform
python
Component
event-driven-ansible
Fixed in
*
A high-severity vulnerability has been identified in the Event-Driven Ansible (EDA) component of the Ansible Automation Platform. The flaw stems from user-supplied Git branch or refspec values being evaluated as Jinja2 templates instead of being handled as opaque strings. An authenticated user who can set those values can inject template expressions that execute commands or read sensitive files on the EDA worker and, in OpenShift deployments, can steal the worker's service account token. Affected versions include 1.1.11-1.el8ap-*.
The impact of CVE-2025-49521 is significant because an authenticated user can execute arbitrary commands on the EDA worker, which can lead to compromise of the worker, data exfiltration and disruption of automation workflows. In OpenShift deployments the risk is more severe: the worker's service account token can be read, handing the attacker a credential for lateral movement and privilege escalation within the cluster. Arbitrary file read widens the exposure further to credentials, configuration data and other confidential material held on the worker. The root cause is a classic server-side template injection: a value that should have been treated as data is compiled as a template, so template syntax inside the data becomes code.
CVE-2025-49521 is not currently listed in the CISA KEV catalog, and public proof-of-concept exploits are not yet widely available. Its EPSS score of 0.14% (33rd percentile) predicts a low probability of exploitation in the near term, but the low barrier (an authenticated account and a single text field) combined with the severity of the outcome means it should not be deprioritized. The vulnerability was publicly disclosed on 2025-06-30. No active campaigns targeting it have been confirmed; security teams should nevertheless monitor their Ansible Automation Platform deployments.
Organizations that rely heavily on Event-Driven Ansible for automation workflows, particularly those running Ansible Automation Platform on OpenShift, are at significant risk. Deployments with permissive access controls over project Git settings (so that many users can supply branch and refspec values), and shared environments in which multiple teams have access to the same EDA worker, are also particularly exposed.
• python / server:

import re

# Example: flag EDA worker log lines that carry Jinja2 template syntax, or that
# record a string being compiled as a template where a Git ref was expected.
# The log path and the message format are assumptions; adjust them to your deployment.
JINJA_SYNTAX = re.compile(r"\{\{|\{%")

with open('/var/log/eda/worker.log', 'r') as f:
    for line in f:
        if 'jinja2.Environment.from_string' in line or JINJA_SYNTAX.search(line):
            print(f'Potential Jinja2 template injection attempt: {line.rstrip()}')

• python / supply-chain: Monitor EDA worker processes for unexpected child processes, unusual command-line arguments or outbound network connections.
• generic web: Review EDA API and web access logs for project create or update requests whose Git branch or refspec values contain template syntax such as "{{" or "{%".
Disclosure
Exploit status
EPSS
0.14% (33rd percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-49521 is to upgrade to the patched Event-Driven Ansible build shipped with Red Hat advisory RHSA-2025:9986. Until that is possible, several workarounds reduce the risk. First, restrict Git branch and refspec input to an allowlist of valid ref syntax and reject anything containing Jinja2 delimiters ("{{", "{%", "{#"); do not rely on a denylist of known payloads. Second, review and minimize the permissions of the EDA worker, including its OpenShift service account, to limit what a successful attack can reach. A WAF or reverse proxy in front of the EDA API can additionally block project create and update requests whose branch or refspec fields carry template syntax. Monitor EDA worker logs for attempts to execute commands or read files the worker has no reason to touch. After upgrading, confirm the fix in a non-production environment by submitting a harmless probe such as "{{ 7*7 }}" as a branch value and verifying that it is rejected or stored verbatim rather than rendered to 49.
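As an added example (not code from this page, from Red Hat or from the Ansible project), the following Python implements the two controls that the mitigation paragraph above and the detection notes earlier on the page call for: an allowlist validator for branch and refspec values that approximates git check-ref-format and additionally rejects Jinja2 delimiters, and a log scanner that applies the same checks to worker log lines. It goes slightly beyond the text by handling the "[+]src:dst" refspec form. The sample log lines are constructed, their format (the ref value as the last key=value field) is an assumption, and every function name is hypothetical.

```python
import re

# Jinja2 expression, statement and comment delimiters.  A legitimate Git
# branch name or refspec never needs any of them, so their presence in a
# user-supplied ref is the signal worth acting on.
JINJA_DELIMS = re.compile(r"\{\{|\{%|\{#|\}\}|%\}|#\}")

# Characters git refuses in a ref name (see git-check-ref-format(1)):
# ASCII control characters, space, and ~ ^ : ? * [ \
GIT_FORBIDDEN = re.compile(r"[\x00-\x1f\x7f ~^:?*\[\\]")


def is_valid_git_ref(ref: str) -> bool:
    """Allowlist check approximating `git check-ref-format --allow-onelevel`."""
    if not ref or ref == "@":
        return False
    if GIT_FORBIDDEN.search(ref):
        return False
    if ref.startswith("/") or ref.endswith("/") or "//" in ref:
        return False
    if ".." in ref or "@{" in ref:
        return False
    if ref.endswith(".") or ref.endswith(".lock"):
        return False
    # no path component may start with "." or end with ".lock"
    return not any(p.startswith(".") or p.endswith(".lock") for p in ref.split("/"))


def is_safe_ref(ref: str) -> bool:
    """A branch value is accepted only if it is git-valid AND template-free.
    The second test is not redundant: "{{config}}" passes git's own rules."""
    return is_valid_git_ref(ref) and not JINJA_DELIMS.search(ref)


def is_safe_refspec(spec: str) -> bool:
    """Accept [+]src:dst or a bare ref.  Wildcard patterns (refs/heads/*) are
    rejected on purpose; this is stricter than git's --refspec-pattern."""
    if JINJA_DELIMS.search(spec):
        return False
    body = spec[1:] if spec.startswith("+") else spec
    src, sep, dst = body.partition(":")
    if not sep:
        return is_valid_git_ref(src)
    # an empty src (":refs/heads/x") is the delete form and is allowed
    return (src == "" or is_valid_git_ref(src)) and is_valid_git_ref(dst)


# Detection side: scan worker log lines for branch=/refspec= values that fail
# the same checks.  The log lines below are constructed for this example; the
# format assumption is that the ref value is the last field on the line.
LOG_FIELD = re.compile(r"\b(branch|refspec)=(.*)$")

SAMPLE_LOG = [
    "2025-06-30T10:12:01Z INFO eda.worker project sync project=demo branch=main",
    "2025-06-30T10:12:05Z INFO eda.worker project sync project=demo refspec=+refs/heads/main:refs/remotes/origin/main",
    "2025-06-30T10:13:40Z INFO eda.worker project sync project=demo branch={{ 7*7 }}",
    "2025-06-30T10:14:02Z INFO eda.worker project sync project=demo refspec={%if 1%}refs/heads/main{%endif%}",
    "2025-06-30T10:15:11Z INFO eda.worker project sync project=demo branch={{config}}",
]


def scan_log_lines(lines):
    """Return (line_number, field, value) for every ref value that the
    validators above would have rejected."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_FIELD.search(line)
        if not m:
            continue
        field, value = m.group(1), m.group(2).strip()
        check = is_safe_refspec if field == "refspec" else is_safe_ref
        if not check(value):
            hits.append((n, field, value))
    return hits


if __name__ == "__main__":
    for n, field, value in scan_log_lines(SAMPLE_LOG):
        print(f"line {n}: suspicious {field} value {value!r}")
```

The point worth taking from this is that git's own syntax rules are not a sufficient filter: "{{config}}" is a syntactically valid branch name, so the delimiter rejection has to be explicit. The validator belongs in front of whatever stores or passes the value on, and it deliberately refuses wildcard refspecs; relax that only if the deployment genuinely needs pattern fetches.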
Update Red Hat Ansible Automation Platform to the latest available version. This resolves the Jinja2 template injection vulnerability. See security advisory RHSA-2025:9986 for details and upgrade instructions.
CVE-2025-49521 is a HIGH severity vulnerability in Event-Driven Ansible allowing authenticated users to inject Jinja2 templates, potentially executing commands or accessing sensitive files on the EDA worker.
If you are using Event-Driven Ansible version 1.1.11-1.el8ap-* or earlier, you are potentially affected by this vulnerability. Upgrade as soon as possible.
The recommended fix is to upgrade to a patched version of Event-Driven Ansible. Until then, restrict Git branch/refspec input and review EDA worker permissions.
Active exploitation is not currently confirmed, but the vulnerability's severity warrants vigilance and proactive mitigation.
Refer to the official Red Hat security advisory for details and updates regarding CVE-2025-49521.